A VPN system that works over TCP without TCP-over-TCP problems. On the local machine, a transparent proxy plus some firewall rules that redirect outgoing traffic to it; the transparent proxy reassembles TCP streams and feeds the data over a multiplexed ssh link to a proxy running on another machine. Neat. It doesn't currently have an option to use SSH's built-in SOCKS support, though -- and it would be cool if it could be made to use an arbitrary SOCKS proxy (e.g. Tor's).

"Crossbear is a tool that aims to detect and localise Man-in-the-middle (MitM) attacks on the SSL/TLS [and SSH] protocols." It works by comparing the certificate you get with what others got from different locations. (I imagine CDNs will break this as usual...)

A neat approach to SSL certificate (etc.) validation: have multiple public databases mapping hostnames to certificates, which can be checked automatically. It's a bit of a pity that their plugins include binary libraries...
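
The comparison behind the last two notes (check the certificate you received against what other locations or public databases report for the same hostname), as an added example that is not code from Crossbear or any of the linked projects. The verdict names, the 0.75 quorum, the minimum of three observers and the vantage-point names are assumptions, and the fingerprints are constructed placeholders. It also covers the CDN case, where several valid certificates exist for one hostname.

```python
import hashlib
from collections import Counter

def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_bytes).hexdigest()

def assess(local_fp, remote_obs, quorum=0.75, min_observers=3):
    """Compare the fingerprint seen locally with fingerprints reported by
    other vantage points (remote_obs: vantage point name -> fingerprint).

    Returns (verdict, differing), where differing lists the vantage points
    that saw a different certificate than we did.
    """
    differing = sorted(vp for vp, fp in remote_obs.items() if fp != local_fp)
    total = len(remote_obs)
    if total < min_observers:
        return "insufficient-data", differing
    counts = Counter(remote_obs.values())
    if counts[local_fp] / total >= quorum:
        return "consistent", differing
    if counts[local_fp] > 0:
        # Someone else also got our certificate: typical for a CDN or a
        # host that serves several valid certificates.
        return "partially-seen", differing
    _, top_n = counts.most_common(1)[0]
    if top_n / total >= quorum:
        # The others agree with each other, but nobody saw what we saw.
        return "suspicious", differing
    # The others disagree among themselves too; there is no baseline.
    return "inconclusive", differing

# Constructed sample data (placeholder bytes, not real certificates).
CERT_A = fingerprint(b"constructed certificate A")
CERT_B = fingerprint(b"constructed certificate B")
CERT_C = fingerprint(b"constructed certificate C")
VIEWS = {"vp-eu": CERT_A, "vp-us": CERT_A, "vp-asia": CERT_A, "vp-sa": CERT_A}

if __name__ == "__main__":
    print(assess(CERT_A, VIEWS))   # everyone saw the same certificate
    print(assess(CERT_B, VIEWS))   # only we saw certificate B
    print(assess(CERT_A, {**VIEWS, "vp-us": CERT_C, "vp-sa": CERT_C}))  # CDN-like split
```

Only the "suspicious" verdict points at interception on the local path; "partially-seen" and "inconclusive" are the cases a CDN produces and need more observations before drawing a conclusion.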